DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs


  • Sophos spots DragonForce ransomware attack leveraging three bugs
  • The flaws were found in the SimpleHelp RMM platform
  • The victim was a major managed service provider (MSP)

The DragonForce ransomware group is chaining multiple SimpleHelp vulnerabilities to breach systems, steal sensitive files, and deploy an encryptor, experts have warned.

In a blog post, Sophos MDR researchers noted they were alerted to the incident when a “suspicious installation” of a SimpleHelp installer file was spotted on the system of a Managed Service Provider (MSP).

That provider ended up suffering a ransomware infection, but one of its clients was enrolled in Sophos MDR and had XDR endpoint protection deployed, which is what alerted the researchers.

White label model

SimpleHelp is self-hosted remote support and remote access software. In January 2025, it was found to contain three vulnerabilities: a path traversal flaw (CVE-2024-57727), an arbitrary file upload vulnerability (CVE-2024-57728), and a privilege escalation flaw (CVE-2024-57726).

Now, Sophos says DragonForce hackers are chaining these three to deploy the ransomware.

“The installer was pushed via a legitimate SimpleHelp RMM instance, hosted and operated by the MSP for their clients,” the researchers explained.

“The attacker also used their access through the MSP’s RMM instance to gather information on multiple customer estates managed by the MSP, including collecting device names and configuration, users, and network connections.”

Sophos did not name the victim, or the third party that successfully thwarted the attack.

DragonForce has been rather active in recent times. In late April 2025, it was reported the group had introduced a new business model to the ransomware scene, one which involves cooperating with other gangs.

Apparently, the group was seen offering a white-label affiliate model, allowing others to use their infrastructure and malware while branding attacks under their own name.

With this model, affiliates won't need to manage the infrastructure and DragonForce will take care of negotiation sites, malware development and data leak sites.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
